You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR. It would be useful to start by looking at your organisation’s risk register, if you have one.

Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations. You should particularly use the first part of the GDPR’s two-year lead-in period to raise awareness of the changes that are coming. You may find compliance difficult if you leave your preparations until the last minute.

2. Information you hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit, across the organisation, or within business areas.

The GDPR updates rights for a networked world. For example, if you have inaccurate personal data and have shared this with another organisation, you must tell the other organisation about the inaccuracy so it can correct its own records. You won’t be able to do this unless you know what personal data you hold, where it came from and who you share it with. You should document this as doing so will also help you to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.

3. Communicating privacy information

You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. When you collect personal data you currently must give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice.

Under the GDPR there are some additional things you must tell people. For example, you will need to explain your legal basis for processing the data, your data retention periods and that individuals have a right to complain to the Information Commissioner’s Office if they think there is a problem with the way you are handling their data.

Note that the GDPR requires the information to be provided in concise, easy to understand and clear language. The Information Commissioner’s Office’s privacy notices code of practice reflects the new requirements of the GDPR.

4. Individuals’ rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. The main rights for individuals under the GDPR will be:
• subject access
• to have inaccuracies corrected
• to have information erased
• to prevent direct marketing
• to prevent automated decision-making and profiling, and
• data portability.

Overall, the rights individuals will enjoy under the GDPR are the same as those under the Data Protection Act but with some significant enhancements. If you are geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy.

This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion?

The right to data portability is new. This is an enhanced form of subject access where you must provide the data electronically and in a commonly used format. Many organisations will already provide the data in this way, but if you use paper print-outs or an unusual electronic format, now is a good time to revise your procedures and make any necessary changes.

5. Subject access requests

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information. The rules for dealing with subject access requests will change under the GDPR. In most cases, you will not be able to charge for complying with a request and normally you will have just a month to comply, rather than the current 40 days. There will be different grounds for refusing to comply with a subject access request – manifestly unfounded or excessive requests can be charged for or refused. If you want to refuse a request, you will need to have policies and procedures in place to demonstrate why the request meets these criteria. You will also need to provide some additional information to people making requests, such as your data retention periods and the right to have inaccurate data corrected.

If your organisation handles many access requests, the impact of the changes could be considerable so the logistical implications of having to deal with requests more quickly and provide additional information will need thinking through carefully. It could ultimately save your organisation a great deal of administrative cost if you can develop systems that allow people to access their information easily online. Organisations should consider conducting a cost/benefit analysis of providing online access.

6. Legal bases for processing personal data

You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it. Many organisations will not have thought about their legal basis for processing personal data.

Under the current law this does not have many practical implications. However, this will be different under the GDPR because some individuals’ rights will be modified depending on your legal basis for processing their personal data. The most obvious example is that people will have a stronger right to have their data deleted where you use consent as your legal basis for processing. You will also have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request. The legal bases in the GDPR are broadly the same as those in the Data Protection Act so it should be possible to look at the various types of data processing you carry out and to identify your legal basis for doing so. Again, you should document this to help you comply with the GDPR’s ‘accountability’ requirements.

7. Consent

You should review how you are seeking, obtaining and recording consent and whether you need to make any changes. Like the DPA, the GDPR has references to both ‘consent’ and ‘explicit consent’. The difference between the two is not clear given that both forms of consent must be freely given, specific, informed and unambiguous. Consent also must be a positive indication of agreement to personal data being processed – it cannot be inferred from silence, pre-ticked boxes or inactivity.

If you rely on individuals’ consent to process their data, make sure it will meet the standards required by the GDPR. If not, alter your consent mechanisms or find an alternative to consent. Note that consent must be verifiable and that individuals generally have stronger rights where you rely on consent to process their data.

The GDPR is clear that controllers must be able to demonstrate that consent was given. You should therefore review the systems you have for recording consent to ensure you have an effective audit trail.

8. Children

You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.

For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. In short, if your organisation collects information about children – in the UK this will probably be defined as anyone under 13 – then you will need a parent or guardian’s consent to process their personal data lawfully. This could have significant implications if your organisation aims services at children and collects their personal data.

Remember that consent must be verifiable and that when collecting children’s data your privacy notice must be written in language that children will understand.

9. Data breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Some organisations are already required to notify the Information Commissioner’s Office (and possibly some other bodies) when they suffer a personal data breach.

However, the GDPR will bring in a breach notification duty across the board. This will be new to many organisations. Not all breaches must be notified to the Information Commissioner’s Office – only ones where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach.

You should start now to make sure you have the right procedures in place to detect, report and investigate a personal data breach. This could involve assessing the types of data you hold and documenting which ones would fall within the notification requirement if there was a breach. In some cases, you must notify the individuals whose data has been subject to the breach directly, for example where the breach might leave them open to financial loss.

Larger organisations will need to develop policies and procedures for managing data breaches – whether at a central or local level. Note that a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

10. Data Protection by Design and Data Protection Impact Assessments

You should familiarise yourself now with the guidance the Information Commissioner’s Office has produced on Privacy Impact Assessments (PIAs) and work out how to implement them in your organisation. This guidance shows how PIAs can link to other organisational processes such as risk management and project management. You should start to assess the situations where it will be necessary to conduct a DPIA. Who will do it? Who else needs to be involved? Will the process be run centrally or locally? It has always been good practice to adopt a privacy by design approach and to carry out a privacy impact assessment as part of this. A privacy by design and data minimisation approach has always been an implicit requirement of the data protection principles. However, the GDPR will make this an express legal requirement.

Note that you do not always have to carry out a PIA – a PIA is required in high-risk situations, for example where a new technology is being deployed or where a profiling operation is likely to significantly affect individuals. Note that where a PIA (or DPIA as the GDPR terms it) indicates high risk data processing, you will be required to consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR.

11. Data Protection Officers

You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. The GDPR will require some organisations to designate a Data Protection Officer (DPO), for example public authorities or ones whose activities involve the regular and systematic monitoring of data subjects on a large scale. The important thing is to make sure that someone in your organisation, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively.

Therefore, you should consider now whether you will be required to designate a DPO and, if so, to assess whether your current approach to data protection compliance will meet the GDPR’s requirements.

12. International

If your organisation operates internationally, you should determine which data protection supervisory authority you come under. The GDPR contains quite complex arrangements for working out which data protection supervisory authority takes the lead when investigating a complaint with an international aspect, for example where a data processing operation affects people in several Member States.

Put simply, the lead authority is determined according to where your organisation has its main administration or where decisions about data processing are made. In a traditional headquarters (branches) model, this is easy to determine. It is more difficult for complex, multi-site companies where decisions about different processing activities are taken in different places. In case of uncertainty over which supervisory authority is the lead for your organisation, it would be helpful for you to map out where your organisation makes its most significant decisions about data processing. This will help to determine your ‘main establishment’ and therefore your lead supervisory authority.

March is traditionally the time for a good spring clean, and this should apply to business as well! Organise a clear-out of defunct machines, tidy up your server room and do away with unruly cables. Get labelling and…

2. …create an asset register.

This way you know what IT assets you have, avoiding any unnecessary expenditure in the future. An asset register also ensures that you can better prepare for future investment in IT (refresh cycles). We maintain asset registers on behalf of all our clients. If you need help creating your own asset register, there is some great software that will help you do this automatically, such as this one

3. Start thinking ahead and plan for the future.

Many businesses already know what their short, mid and long term goals are, so ensure IT is aligned by having an IT Strategy. Do a Google search and you will find some great templates.

4. Think of the environment and Go Green!

There are so many ways in which you can adopt a Green IT ethos into your business. Looking to The Cloud is one way to achieve your green credentials. Cloud Computing can mean so many different things (hosted server, hosted mails, hosted applications). Throughout 2017, we will be extolling the virtues of The Cloud and showing you ways in which your business can benefit from it.

5. Reduce Your Phone Bill…with VOIP.

VOIP stands for Voice Over IP and it basically means making calls using the internet. Although its take-up is growing, the use of VOIP still has not reached the levels seen in America, for example, which is surprising given how much money you can save over standard PSTN. We will be discussing VOIP as part of our Cloud Computing series so watch this space…

6. Are You Secure?

Along with the IT housekeeping, how about organising a Security Audit? Good IT security is essential in these times, so audit your IT environment to plug any gaps in your security. See our guide here for some tips.

7. Get Smart, Get DR!

There we go again sounding like a broken record but…having a good DR solution is the most important resolution you can make this year. Look for something that ensures that you are back up and running in the shortest time possible. Our 999RESTORE service is a great DR solution if you are looking. We guarantee a 1hr Return Time of Service (how much time you are down for) and a 1hr Return Point of Service (how much data max you will lose). Find out more here

This is without doubt the question we get asked most by our clients – and it demonstrates that security is uppermost on their minds. Our answer is always yes…although there is no such thing as 100% security (be wary of companies that promise you 100% security). The dark types, as we like to call them, are a clever bunch and constantly develop sophisticated ways to bypass even the most robust security.

What we advocate is a layered approach to security and this simply means employing a number of precautionary measures to tackle the problem. The central idea behind layered security is the belief that the most effective way to protect IT systems from a broad range of attacks is by employing an array of counteracting strategies. Layered security efforts attempt to address problems with different kinds of hacking or phishing, denial of service attacks and other cyber attacks, as well as worms, viruses, malware and other kinds of more passive or indirect system invasions.

Our mantra at Supreme is Reduce, Remove, Secure. Some of the strategies we employ include:

1. Physical Security – seems like an obvious one but it is amazing how many businesses still take this for granted! Physical security is an important layer in any layered approach. Guards, gates, locks and key cards all help keep people away from systems that they shouldn’t touch or alter.

2. Network Security – A key layer, good network security measures should include firewalls, intrusion detection and prevention systems (IDS/IPS), and general networking equipment such as switches and routers configured with their security features enabled. Establish trust domains for security access and smaller local area networks (LANs) to shape and manage network traffic. Manufacturing companies may consider having a demilitarised zone between the industrial plant floor or space and the IT and corporate offices allowing data and services to be shared securely.

3. Computer Hardening – Well known (and published) software vulnerabilities are the number one way that intruders gain access to automation systems. Examples of Computer Hardening include the use of:

Antivirus software – Best of breed only. The top AV vendors have invested greatly to ensure that they can respond to the latest attacks.

5. The Human Layer – By far the most important precautionary layer because, as we mentioned above, there is no such thing as 100% security, so constant user vigilance is key. The best antivirus software in the world will not prevent a user from clicking on a link within a malicious email.

Absolute security may not be within reach; however, businesses can effectively tackle the risks posed by these threats by following good practices.

To coincide with the Government’s £1.9bn cyber-security initiative, Supreme Systems are offering a Free IT Security Audit for any West Midlands company that registers an interest in November! To discuss your security needs please contact Julian Brettle on

Many organisations do not have a DR plan, or their plan is outdated. Keep it fresh. New applications are constantly deployed, and storage is growing by 50% per year on average. Be sure your plan keeps pace with business needs.

2. Test the plan

Your DR plan should be tested at least once a year. If you’re really serious about testing, try locking your workers out of the building and say ‘go’. Yes, this may be extreme, but this will ensure they know what to do if a disaster really strikes…

3. Decide what is important

You should identify what applications are vital and how long it will take to recover them. This will allow you to prioritise your recovery efforts and also help you identify what level of data protection your business requires for each application. It’s important to understand that not all applications have equal recovery requirements.

4. Recovery point?

Decide how much data you can afford to lose in the event of local (e.g., server/storage) and/or site failure. A couple of hours? Last night? Weekly? Then architect your plan accordingly.

5. Recovery time?

It’s also important to understand how soon your business-critical applications must be back online after a failure before it starts to impact your business seriously. So how long before it starts to hurt…minutes? Hours? Days? This information (as well as point 4 above) will help you choose the right DR solution for your business.

6. Disk-based snapshots to protect against Ransomware

Not all disasters are physical. Ransomware is becoming increasingly common (usually costing between £200 and £5,000) and can impact users and systems. Schedule frequent snapshots of your data, enabling granular file, folder and share recovery, to combat these attacks.

7. Keep real-time copies of your data

Data storage redundancy is your friend and can prevent hardware failure from becoming a disaster recovery situation at all.

8. “Deduplication” and “compression” – Tools for efficiency

When replicating storage, look to utilise bandwidth efficiently as this will directly affect your time for recovery. Deduplication and compression technologies are key to achieving this.

9. Encryption in flight

Take extra security precautions by utilising encryption. Even if you’re using private networks, prying eyes may be watching you.

10. Company image and reputation

Companies don’t expect to declare a disaster. If they do, protecting the company’s image is just as important as getting the information back online. If disaster strikes be honest with customers about the impact. Brand loyalty is extremely hard to rebuild. Many companies don’t recover from disasters.

Unfortunately, the use of a business’s IT by its users brings with it various risks. As such it is essential for all staff to be aware of their personal security responsibilities and the need to also comply with corporate security policies.

This can be achieved through regular security training and awareness programmes designed to increase the levels of security expertise and knowledge across the organisation as well as developing a security-conscious culture.

What is the risk?

Organisations that do not produce user security policies or train their users in good security practices will be vulnerable to many of the following risks:

Unacceptable use
Without a clear policy on what is considered to be acceptable, certain actions by users may contravene good security practice and could lead to the compromise of personal or sensitive commercial information that could result in legal or regulatory sanctions and reputational damage.

Removable media and personally owned devices
Unless it is clearly set out in policy and regularly communicated, staff may consider it acceptable to use their own removable media or connect their personal devices to the corporate infrastructure. This could potentially lead to the import of malware and the compromise of personal or sensitive commercial information.

Legal and regulatory sanction
If users are not aware of any special handling or the reporting requirements for particular classes of sensitive information, the organisation may be subject to legal and regulatory sanctions.

Incident reporting
If users do not report incidents promptly, the impact of any incident could be compounded.

Security Operating Procedures
If users are not trained in the secure use of their organisation’s ICT systems or the functions of a security control, they may accidentally misuse the system, potentially compromising a security control and the confidentiality, integrity and availability of the information held on the system.

External attack
Users remain the weakest link in the security chain and they will always be a primary focus for a range of attacks (phishing, social engineering, etc.) because, when compared to a technical attack, there is a greater likelihood of success and the attacks are cheaper to mount. In many instances, a successful attack only requires one user to divulge a logon credential or open an email with malicious content.

Insider threat
A significant change in an employee’s personal situation could make them vulnerable to coercion and they may release personal or sensitive commercial information to others. Dissatisfied users may try to abuse their system level privileges or coerce other users, to gain access to information or systems to which they are not authorised. Equally, they may attempt to steal or physically deface computer resources.

How can the risk be managed?

Promote an incident reporting culture
The organisation should enable a security culture that empowers staff to voice their concerns about poor security practices and security incidents to senior managers, without fear of recrimination.

Support the formal assessment of Information Assurance (IA) skills
Staff in security roles should be encouraged to develop and formally validate their IA skills through enrolment on a recognised certification scheme for IA Professionals. Some security related roles such as system administrators, incident management team members and forensic investigators will require specialist training.

Establish a staff induction process
New users (including contractors and third party users) should be made aware of their personal responsibility to comply with the corporate security policies as part of the induction process. The terms and conditions for their employment (contracts for contractors and third party users) must be formally acknowledged and retained to support any subsequent disciplinary action. Ideally, the initial user registration process should also be linked to the organisation’s technical access controls.

Produce a user security policy
The organisation should develop and produce a user security policy (as part of their overarching corporate security policy) that covers acceptable use. Security procedures for all ICT systems should be produced that are appropriate and relevant to all business roles and processes.

Maintain user awareness of the cyber risks faced by the organisation
Without exception, all users should receive regular refresher training on the cyber risks to the organisation and to them as both employees and individuals.

Monitor the effectiveness of security training
Establish mechanisms to test the effectiveness and value of the security training provided to all staff. This should be done through formal feedback and potentially by including questions in the staff survey on security training and the organisation’s security culture. Those areas that regularly feature in security reports or achieve the lowest feedback ratings should be targeted for remedial action.

Establish a formal disciplinary process
All staff should be made aware that any abuse of the organisation’s security policies will result in disciplinary action being taken against them.

Managing user privileges – Some of you might say, “Why do we need to prevent colleagues from accessing certain areas on the systems or internet?” Well… If an important file gets corrupted or deleted by accident, it can cause a huge dilemma in the office! Managing user privileges stops your colleagues from accessing certain files on a computer, such as the program files, where changes could cause serious damage to the computer they are using or even a server! This won’t prevent anyone at the office from being able to work; it will only prevent the worst from happening.

Malware Prevention – Malicious Software consists of hidden files that latch onto a computer or system and infect it with a Virus, Trojan, Ransomware etc. Malicious Software has many ways of getting on to your system and you want to contain viruses before they reach the core of your infrastructure. So how can we protect computers against getting viruses? We recommend that every computer has Anti-Virus software installed, such as McAfee or our Managed Antivirus services, to keep your system out of harm’s way.

Monitoring Systems – If there is a document that is highly valued by the business, and someone getting a copy of this file could potentially put the business at risk, what impact do you think it could have? Money loss, downtime, you name it. It can happen if nothing is being monitored. So, how would one stop this from happening? Monitoring Systems allow you to see where files have been transferred and who has transferred them, and can also block users if they are doing something that is against the rules. This will give you the upper hand if you have noticed files being deleted or a security issue that keeps occurring.

Disaster Recovery and backups – Files can always be lost, but it’s how they are recovered and how long it takes that makes the issue important. In some cases, I have seen businesses lose all of their data and have no way of recovering it, which then causes a major downtime that leads to loss of money or even closure. We all know that work keeps the food on the table and a roof over your head, and we want to make sure that no one is affected by data loss or any significant issues caused by Cyber Attacks or Downtime.

Educating Colleagues – I know you’ve probably heard this over and over, but educating users on how to use a computer correctly can prevent security threats from happening. From Social Media sites to Websites, these can cause security breaches within businesses. As Social Media sites grow every year, threats occur more often and can be a large issue if used within a business environment. Attackers have set up accounts where they will obtain either an email address or a social media profile and then send an attachment which contains a virus. Without users knowing the process, the hackers can carry on deploying viruses on computers so that they become vulnerable to a devastating attack.

This article has been shared from the UK government’s Centre for the Protection of National Infrastructure (CPNI) – the website is full of advice as to how businesses can better prepare for a disaster. Find out more at http://www.cpni.gov.uk/

Response pack

Article Summary

A Response pack should include key documents and items that may be needed by those who will manage the incident room or work with the emergency services. Example contents are set out below, however these lists are not exhaustive and other items should be added as required.

Documents:

Business Continuity Plan and Communications Plans
Contact details for nominated response staff, plus list of all employees, their home and mobile numbers
Emergency services contact details
Details of any local utility companies, emergency glaziers, salvage organisations, building contractors, local authority contingency planners
Building plans, including the location of gas, electricity and water shut off points and heating and ventilation controls. Also, any protected areas where staff will be sheltered.
A recent stock and equipment inventory
Financial and banking information
Product lists and specifications


If you are a bit of a history enthusiast then you may be aware that the tablet device is not a recent development in the world of computing. The first patent for the tablet design was in fact issued around 1888 and since then the tablet has been through various trials and tribulations which threatened its sustainability on the consumer market. In 2002 Microsoft decided to implement a version of Windows XP which was not as successful as they had hoped. Around this time tablet designs were often considered to be clumsy, with heavy builds and insufficient software capabilities. However, the development of cloud technology allowed manufacturers such as Apple to build a healthy relationship between cloud applications and tablet computers, giving birth to the iPad. As you may be aware, vital data is normally stored on cloud servers, allowing easy access from multiple devices and locations. If this is the case, then it would be wise to ensure that the operating hardware remains effective, with good screen resolution, sufficient processing power and hand-held comfort. If you are one for fancy aesthetics then this will be reflected in the cost of your investment. Otherwise a mid-range tablet should be priced quite reasonably, packing enough punch to allow efficient online activity without you gaining square eyes and sore wrists.

To conclude, the power of cloud technology enterprises such as Google and Amazon has only increased the appetite for cloud convenience with their respective online services. The popularity of these services has helped to breed a familiar relationship with most tech-competent consumers, who often systematically log in and out of cloud-based applications in order to satisfy their social, entertainment and business needs. The only thing left to consider is: will we see a shift in the value businesses place on merging tablet devices and cloud technology for increased work-based productivity?

Adopting mobile devices within the workforce is becoming extremely popular as businesses strive to find innovative ways to increase employee productivity. This can mean employees working more flexibly in a highly dynamic business environment or responding to real-time information at the ‘wisp of a wand’. The devices available to achieve such things depend mainly on individual business needs, while still remaining accessible to all. With this being said, I have listed 10 ways in which businesses can mobilize their workforce using technology.

1. Tablet PCs – These devices are similar to notebooks but their wireless capabilities and intuitive touch screen user interfaces make you feel right at home. For the real business savvy, tablet computers are no stranger to fully functional operating systems such as Windows and, being highly compact, are adaptable to your work-space layout.

2. Laptops and Notebooks – Another great addition to office mobility, offering powerful alternatives to desktop computers with excellent software handling capabilities. Laptops come in a huge variety of sizes, specifications and designs which you can use to your advantage.

3. PDAs – The Personal Digital Assistant or PDA could be thought of as the predecessor to the modern day smart phone. PDAs often pack large screens operated by their stylus counterpart and are capable of running limited versions of office software. Additionally, PDAs offer remote access to email, schedules and documents through WIFI or Bluetooth connectivity.

4. 3G Phones – 3G stands for 3rd generation and currently dominates contemporary mobile broadband connectivity. The main benefit of 3G devices is that they are always connected to the internet and offer quick access to web pages.

5. GPRS – The General Packet Radio Service is the predecessor to 3G technologies and also allows mobile phone users to connect to the internet on the move. GPRS devices are an alternative to 3G as they are normally a more cost-effective way to communicate business initiatives between employees.

6. WIFI – A name given to a group of standards which govern the use of wireless technology and have effectively revolutionised how we communicate today. WIFI technology offers users super quick access to the Internet and is widely available to the public through the development of WIFI hotspots.

7. Extranets – Essentially this is a private network in which businesses can operate using a standard Internet browser. The information included on an Extranet network may include product information, pricing and payment processes. Obviously concerns about network security may be an issue but Extranets combat this with password protection and structured levels of permeable access.

8. VPN – Virtual Private Networks offer a secure way to deliver remote access to private networks. Again, security threats are mitigated with high-end encryption, which leaves you to concentrate on collaborating with your virtual workforce.

9. Bluetooth – Bluetooth wireless technology uses radio waves to allow instant connection with other Bluetooth compatible devices. The great thing about this way of communication is that no phone or Internet connection is needed. Therefore activities such as sharing contact information and mobile printing become as easy as can be.

10. Cloud Service Providers – These are companies which manage an online infrastructure where clients have the ability to manage, create and share information through a range of web based applications.

If you did not know, Microsoft Office 365 delivers cloud productivity to businesses of all sizes, and as it is an external provider of cloud services it is important to consider what security measures are actively in place to help protect customer data. The concerns which normally arise with regard to security include data protection, privacy and data ownership. This blog has therefore been written to identify the measures Microsoft has taken to respond to these concerns.

The current challenges in relation to cloud security include an increasing trend in mobile access to information, which has created a haven for cyber-crime. In order to maintain maximum precaution, strategies to research, monitor and prevent emerging threats are needed, which means time and money for any organisation. This is where a program like Office 365 comes in. Microsoft invests a lot of money in its data centers, where the need for secure access is a highly communicated initiative. This also includes anti-spam and anti-virus technology which has been automated to counteract virtual threats.

No stranger to online services, Microsoft have gained considerable experience since the introduction of MSN in 1994. Recognizing that security is an ongoing process, measures were taken to protect data from harm, whether from a natural disaster or unauthorized access. This was done through a committed approach to monitoring data infrastructures, applying industry practices and investing in high-end technology in order to keep data safe. This also meant security needed to be built into the software from the start. As Office 365 has been designed for secure access over the Internet, users have the option of creating strong passwords to enforce data protection. Alternatively, users can also apply for a Federated ID, which aims to increase security measures by actively monitoring on-premise access to the system. And if this is not enough, Office 365 software hosts a range of built-in encryption features which cover all necessary daily activities such as emailing, documenting and even voice-mail messages.

Considering the above, it seems that Office 365 covers a wide range of security initiatives designed to make the user feel at ease when it comes to handling data. Data security will always remain a major concern for businesses of all sizes, and the need for high security initiatives by external cloud services should not be ignored. As demonstrated, Microsoft Office 365 is one example of a forward-thinking company that takes into account the vulnerability of cloud business applications in order to provide effective ongoing solutions. And just in case I missed it out, Office 365 wholeheartedly emphasizes user responsibility, and its Trust Center provides highly valuable information on how you can handle sensitive data more effectively.